by zobzu 4106 days ago
Yes, what I meant is that MIG doesn't seem to give root access to the "investigator" through this. Of course, the tool has to run as root.

GRR/osquery will actually let you run arbitrary code remotely.

1 comments

You are correct: MIG is designed to prevent a rogue investigator from executing random commands on systems. We do so by filtering what agents can run through modules, and by requiring OpenPGP signatures on all actions run.

Even if the MIG platform is compromised, agents and systems are safe, as long as the keys of authorized investigators (kept on their laptops) are not compromised.
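
The agent-side check described in the reply above, as an added Go sketch that is not MIG's code and not part of the thread. Ed25519 from the standard library stands in for OpenPGP, and the `Action` format, the module allowlist and all function names are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
)

// Action is a hypothetical, simplified action (not MIG's real format).
type Action struct {
	Module string   `json:"module"`
	Params []string `json:"params"`
}

// Constructed allowlist: the agent runs named modules only, never a shell.
var allowedModules = map[string]bool{"file": true, "netstat": true}

// Authorize accepts an action only if a locally pinned investigator key signed it and its module is allowlisted.
func Authorize(payload []byte, sigs [][]byte, trusted []ed25519.PublicKey) (*Action, error) {
	valid := false
	for _, sig := range sigs {
		for _, pk := range trusted {
			valid = valid || ed25519.Verify(pk, payload, sig)
		}
	}
	if !valid {
		return nil, errors.New("no valid investigator signature")
	}
	var a Action
	if err := json.Unmarshal(payload, &a); err != nil {
		return nil, err
	}
	if !allowedModules[a.Module] {
		return nil, fmt.Errorf("module %q is not allowed", a.Module)
	}
	return &a, nil
}

// Demo runs four constructed cases and returns each authorization error.
func Demo() (signed, unsigned, untrusted, badModule error) {
	pub, priv, _ := ed25519.GenerateKey(nil) // private half stays on the laptop
	_, other, _ := ed25519.GenerateKey(nil)  // key the agent has not pinned
	trusted := []ed25519.PublicKey{pub}
	find, sh := []byte(`{"module":"file","params":["/etc"]}`), []byte(`{"module":"shell","params":["id"]}`)
	_, signed = Authorize(find, [][]byte{ed25519.Sign(priv, find)}, trusted)
	_, unsigned = Authorize(find, nil, trusted) // injected by a compromised platform
	_, untrusted = Authorize(find, [][]byte{ed25519.Sign(other, find)}, trusted)
	_, badModule = Authorize(sh, [][]byte{ed25519.Sign(priv, sh)}, trusted)
	return
}
func main() { fmt.Println(Demo()) }
```

Only the first case returns a nil error; the platform never holds a private key, so anything it injects fails the signature check before the module name is even parsed.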